diff options
author | Darren Tucker <dtucker@zip.com.au> | 2014-06-17 23:06:07 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2014-06-17 23:06:07 +1000 |
commit | 316fac6f18f87262a315c79bcf68b9f92c9337e4 (patch) | |
tree | 4ca56b926c75d844cf69b33461be32ae178e62e7 | |
parent | af665bb7b092a59104db1e65577851cf35b86e32 (diff) |
- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
Move the OpenSSL header/library version test into its own function and add
tests for it. Fix it to allow fix version upgrades (but not downgrades).
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
ok djm@ chl@
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | entropy.c | 11 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.c | 37 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.h | 4 | ||||
-rw-r--r-- | openbsd-compat/regress/.cvsignore | 3 | ||||
-rw-r--r-- | openbsd-compat/regress/Makefile.in | 6 | ||||
-rw-r--r-- | openbsd-compat/regress/opensslvertest.c | 69 |
7 files changed, 122 insertions, 16 deletions
@@ -1,3 +1,11 @@ | |||
1 | 20140617 | ||
2 | - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} | ||
3 | openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] | ||
4 | Move the OpenSSL header/library version test into its own function and add | ||
5 | tests for it. Fix it to allow fix version upgrades (but not downgrades). | ||
6 | Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). | ||
7 | ok djm@ chl@ | ||
8 | |||
1 | 20140616 | 9 | 20140616 |
2 | - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via | 10 | - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via |
3 | OpenSMTPD and chl@ | 11 | OpenSMTPD and chl@ |
@@ -209,16 +209,7 @@ seed_rng(void) | |||
209 | #ifndef OPENSSL_PRNG_ONLY | 209 | #ifndef OPENSSL_PRNG_ONLY |
210 | unsigned char buf[RANDOM_SEED_SIZE]; | 210 | unsigned char buf[RANDOM_SEED_SIZE]; |
211 | #endif | 211 | #endif |
212 | /* | 212 | if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay())) |
213 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
214 | * We match major, minor, fix and status (not patch) for <1.0.0. | ||
215 | * After that, we acceptable compatible fix versions (so we | ||
216 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
217 | * within a patch series. | ||
218 | */ | ||
219 | u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; | ||
220 | if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) || | ||
221 | (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)) | ||
222 | fatal("OpenSSL version mismatch. Built against %lx, you " | 213 | fatal("OpenSSL version mismatch. Built against %lx, you " |
223 | "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); | 214 | "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); |
224 | 215 | ||
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 885c121f2..0e5f2cea5 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.c,v 1.18 2014/06/17 13:06:08 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -35,6 +35,41 @@ | |||
35 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | 35 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS |
36 | #include "openssl-compat.h" | 36 | #include "openssl-compat.h" |
37 | 37 | ||
38 | /* | ||
39 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
40 | * We match major, minor, fix and status (not patch) for <1.0.0. | ||
41 | * After that, we acceptable compatible fix versions (so we | ||
42 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
43 | * within a patch series. | ||
44 | */ | ||
45 | |||
46 | int | ||
47 | ssh_compatible_openssl(long headerver, long libver) | ||
48 | { | ||
49 | long mask, hfix, lfix; | ||
50 | |||
51 | /* exact match is always OK */ | ||
52 | if (headerver == libver) | ||
53 | return 1; | ||
54 | |||
55 | /* for versions < 1.0.0, major,minor,fix,status must match */ | ||
56 | if (headerver < 0x1000000f) { | ||
57 | mask = 0xfffff00fL; /* major,minor,fix,status */ | ||
58 | return (headerver & mask) == (libver & mask); | ||
59 | } | ||
60 | |||
61 | /* | ||
62 | * For versions >= 1.0.0, major,minor,status must match and library | ||
63 | * fix version must be equal to or newer than the header. | ||
64 | */ | ||
65 | mask = 0xfff0000fL; /* major,minor,status */ | ||
66 | hfix = (headerver & 0x000ff000) >> 12; | ||
67 | lfix = (libver & 0x000ff000) >> 12; | ||
68 | if ( (headerver & mask) == (libver & mask) && lfix >= hfix) | ||
69 | return 1; | ||
70 | return 0; | ||
71 | } | ||
72 | |||
38 | #ifdef SSH_OLD_EVP | 73 | #ifdef SSH_OLD_EVP |
39 | int | 74 | int |
40 | ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, | 75 | ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, |
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 276b9706d..199dcc882 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.h,v 1.27 2014/06/17 13:06:08 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -22,6 +22,8 @@ | |||
22 | #include <openssl/rsa.h> | 22 | #include <openssl/rsa.h> |
23 | #include <openssl/dsa.h> | 23 | #include <openssl/dsa.h> |
24 | 24 | ||
25 | int ssh_compatible_openssl(long, long); | ||
26 | |||
25 | /* Only in 0.9.8 */ | 27 | /* Only in 0.9.8 */ |
26 | #ifndef OPENSSL_DSA_MAX_MODULUS_BITS | 28 | #ifndef OPENSSL_DSA_MAX_MODULUS_BITS |
27 | # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 | 29 | # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 |
diff --git a/openbsd-compat/regress/.cvsignore b/openbsd-compat/regress/.cvsignore index afbf7cc3f..33074f4a3 100644 --- a/openbsd-compat/regress/.cvsignore +++ b/openbsd-compat/regress/.cvsignore | |||
@@ -2,4 +2,5 @@ Makefile | |||
2 | snprintftest | 2 | snprintftest |
3 | strduptest | 3 | strduptest |
4 | strtonumtest | 4 | strtonumtest |
5 | 5 | closefromtest | |
6 | opensslvertest | ||
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in index bcf214bd0..dabdb0912 100644 --- a/openbsd-compat/regress/Makefile.in +++ b/openbsd-compat/regress/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ | 1 | # $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $ |
2 | 2 | ||
3 | sysconfdir=@sysconfdir@ | 3 | sysconfdir=@sysconfdir@ |
4 | piddir=@piddir@ | 4 | piddir=@piddir@ |
@@ -16,11 +16,11 @@ LIBS=@LIBS@ | |||
16 | LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) | 16 | LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) |
17 | 17 | ||
18 | TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ | 18 | TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ |
19 | strtonumtest$(EXEEXT) | 19 | strtonumtest$(EXEEXT) opensslvertest$(EXEEXT) |
20 | 20 | ||
21 | all: t-exec ${OTHERTESTS} | 21 | all: t-exec ${OTHERTESTS} |
22 | 22 | ||
23 | %$(EXEEXT): %.c | 23 | %$(EXEEXT): %.c $(LIBCOMPAT) |
24 | $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) | 24 | $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) |
25 | 25 | ||
26 | t-exec: $(TESTPROGS) | 26 | t-exec: $(TESTPROGS) |
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c new file mode 100644 index 000000000..5d019b598 --- /dev/null +++ b/openbsd-compat/regress/opensslvertest.c | |||
@@ -0,0 +1,69 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2014 Darren Tucker | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include <stdio.h> | ||
18 | #include <stdlib.h> | ||
19 | |||
20 | int ssh_compatible_openssl(long, long); | ||
21 | |||
22 | struct version_test { | ||
23 | long headerver; | ||
24 | long libver; | ||
25 | int result; | ||
26 | } version_tests[] = { | ||
27 | /* built with 0.9.8b release headers */ | ||
28 | { 0x0090802fL, 0x0090802fL, 1}, /* exact match */ | ||
29 | { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ | ||
30 | { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ | ||
31 | { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ | ||
32 | { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ | ||
33 | { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ | ||
34 | { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ | ||
35 | |||
36 | /* built with 1.0.1b release headers */ | ||
37 | { 0x1000101fL, 0x1000101fL, 1},/* exact match */ | ||
38 | { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ | ||
39 | { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ | ||
40 | { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ | ||
41 | { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ | ||
42 | { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ | ||
43 | { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ | ||
44 | { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ | ||
45 | }; | ||
46 | |||
47 | void | ||
48 | fail(long hver, long lver, int result) | ||
49 | { | ||
50 | fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result); | ||
51 | exit(1); | ||
52 | } | ||
53 | |||
54 | int | ||
55 | main(void) | ||
56 | { | ||
57 | unsigned int i; | ||
58 | int res; | ||
59 | long hver, lver; | ||
60 | |||
61 | for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) { | ||
62 | hver = version_tests[i].headerver; | ||
63 | lver = version_tests[i].libver; | ||
64 | res = version_tests[i].result; | ||
65 | if (ssh_compatible_openssl(hver, lver) != res) | ||
66 | fail(hver, lver, res); | ||
67 | } | ||
68 | exit(0); | ||
69 | } | ||